Toward a stage theory of the development of employees' information security behavior
Karjalainen, M., Siponen, M., & Sarker, S. (2020). Toward a stage theory of the development of employees' information security behavior. Computers and Security, 93, 101782. https://doi.org/10.1016/j.cose.2020.101782
Published in
Computers and SecurityDate
2020Copyright
© 2020 The Authors
Existing behavioral information security research proposes continuum or non-stage models that focus on finding static determinants for information security behavior (ISB) that remains unchanged. Such models cannot explain a case where the reasons for ISB change. However, the underlying reasons and motives for users’ ISB are not static but may change over time. To understand the change in reasoning between different antecedents, we examine stage theorizing in other fields and develop the requirements for an emergent theory of the development of employees’ ISB: (1) the content of stages based on the stage elements and their stage-specific attributes; (2) the stage-independent element explaining the instability of ISB; and (3) the temporal order of stages based on developmental progression. To illustrate the stage theory requirements in an information security context, we suggest four stages: intuitive thinking, declarative thinking, agency-related thinking, and routine-related thinking. We propose that learning is a key driver of change between the stages. According to our theorizing, employees start with intuitive beliefs and later develop routine-related thinking. Furthermore, using interview data collected from employees in a multinational company, we illustrate the differences in the stages. For future information security research, we conceptualize ISB change in terms of stages and contribute a theoretical framework that can be empirically validated. In relation to practice, understanding the differences between the stages offers a foundation for identifying the stage-specific challenges that lead to non-compliance and the corresponding information security training aimed at tackling these challenges. Given that users’ ISB follows stages, although not in a specific order, identifying such stages can improve the effectiveness of information security training interventions within organizations.
...


Publisher
ElsevierISSN Search the Publication Forum
0167-4048Keywords
Publication in research information system
https://converis.jyu.fi/converis/portal/detail/Publication/34957381
Metadata
Show full item recordCollections
Additional information about funding
No funding information.License
Related items
Showing items with similar title or keywords.
-
Influence of Organizational Culture on Employees Information Security Policy Compliance in Ethiopian Companies
Ejigu, Kibrom; Siponen, Mikko; Muluneh, Tilahun (Association for Information Systems, 2021)Information security is one of the organizations' top agendas worldwide. Similarly, there is a growing trend in the kinds and rate of security breaches. Information security experts and scholars concentrate on outsiders' ... -
Investigating the Impact of Organizational Culture on Information Security Policy Compliance : The Case of Ethiopia
Ejigu, Kibrom Tadesse; Siponen, Mikko; Arage, Tilahun Muluneh (Association for Information Systems, 2021)Information security is one of the organizations' top agendas worldwide. Similarly, there is a growing trend in the kinds and rate of security breaches. Information security experts and scholars concentrate on outsiders' ... -
The moderating impact of organizational culture on information security compliance
Ejigu, Kibrom; Siponen, Mikko; Muluneh, Tilahun (Addis Ababa University Press, 2023)This research paper investigates the association between organizational culture and employees' compliance with information security policies. Drawing upon rational choice theory (RCT) and the competing values framework ... -
Moral sensitivity in information security dilemmas
Mohammadnazar, Hojat; Ghanbari, Hadi; Siponen, Mikko (Association for Information Systems, 2019)Activities that undermine information security such as noncompliance with information security policies raise moral concerns since they can expose valuable information assets. Existing research shows that moral reflection ... -
Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions
Siponen, Mikko; Soliman, Wael; Vance, Anthony (ACM, 2022)In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security ...